lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <43797949.6020703@xfocus.org>
Date: Tue Nov 15 06:00:18 2005
From: alert7 at xfocus.org (alert7@...cus.org)
Subject: [xfocus-AD-051115]Multiple antivirus failed to
 scan malicous filename bypass vulnerability

[xfocus-AD-051115]Multiple antivirus failed to scan malicous filename
bypass vulnerability

discoverer by killer@...cus.org
class: design error
Threat level: medium


Vulnerable anti-virus Engine:

    Kaspersky Antivirus
    Symantec AntiVirus
    F-Prot Antivirus
    ClamWin Antivirus
    Avast Antivirus
    RAV AntiVirus
    Microsoft AntiSpyware

tested anti-virus vendor:

    Symantec AntiVirus Corporate 8.0
    Kaspersky Antivirus Personal Pro 4.5.0.104
    Kaspersky Antivirus For MS NTServer 4.5.0.104
    F-Prot Antivirus 3.16c
    ClamWin Antivirus 0.87
    Avast.Professional.Edition.v4.6.603
    RAV.AntiVirus.Desktop.v8.6
    Microsoft AntiSpyware beta1


1.Summary:
------------

   Windows system may use the many kinds of special mark as filename,
some anti-virus engines are unable to analyze the special structure
document filename, thus failed to file operate.


2. Detail:
------------
   Demonstration here:

   Choose a malicious file which would be detected, such as nc.exe,
rename the file as nc??.exe (?? =Hex C0 D7 BA DC)

   Then these malicious files will be not detected by antivirus scan.

   Because these special names are unable directly to input, so if you
want to run these file, you should use the following way:

   [ROOT@D:\Vul\bugtrap]#dir /x

   1998-01-03  14:37            59,392 NC294E~1.EXE nc??.exe

   [ROOT@D:\Vul\bugtrap]#NC294E~1.EXE -help
   [v1.10 NT]
   connect to somewhere:   nc [-options] hostname port[s] [ports] ...
   listen for inbound:     nc -l -p port [options] [hostname] [port]
   options:

   Uses the MS-DOS name specification, we can operate file with OpenĦ˘
ReadĦ˘WriteĦ˘ and duplicateĦ£

   In fact the most vendor all have the problem in regarding this king
of file parse: For instance use the right key clicks these kinds of
file, will be no scan option menu to show by Kaspersky antivirus, and
Symantec AntiVirus Corporate V10.0.1.1000 will detected but can't remove
it. AVG Anti-Virus will be passed by normally path scan mothod, but
can't read the file if click the scan option menu.


3. Credits:
------------
   Thank xundi@...cus.org translate it, thx all members of xfocus team
and all support xfocus team.


4. About xfocus:
------------

	Xfocus is a non-profit and free technology organization which was
founded in 1998 in China. We are devoting to research and demonstration
of weaknesses related to network services and communication security.

	homepage http://www.xfocus.org/

-----EOF

-- 

Kind Regards,

---
alert7@...cus.org

XFOCUS Security Team
http://www.xfocus.org

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ